Biometric passwords: No!

Please sit down, we need to have a talk, programmer to programmer.

Over the last decade we’ve had a lot of problems with authentication. For example, we’ve stored plain text passwords in the database. We’ve learned from this and nobody is doing this anymore right? If you are, please deposit your programming-license in the nearest trash can.

Latest challenge: Biometrics

It is time to talk about the latest problem in IT: biometric data.

Some websites are using biometrics, such as your fingerprint, as your password. This sounds great, very hard to fake, unique to you. But there is a problem… what happens when there is a data leak?

If you store passwords in the database (hashed or not), and they get leaked, it is bad. You need to tell all the users to change their passwords immediately. But what happens when you store biometric data and it gets leaked?

The only way to change your fingerprint is this:

Rather painful… and even worse, all devices and websites that use your fingerprint have the same password.

We don’t want to share passwords on multiple websites/devices!

Not a password

There is no real solution, as long as you ensist of using biometric data as a password. Even if you use a nice salted hash, it will eventually be leaked, with big consequences.

A better way to use biometrics in authentication is to treat it as a username. It is a great match, it identifies you. It is not your secret password, it is your username. That means you still need to provide a password, but having the added biometric username does increase security a lot. Of course if there is a database leak, your fingerprint can still be stolen, but that is the entire point. If you touch a glass door you’re also leaving your fingerprint. Using fingerprints as password is like dropping pieces of paper with your secret password all over the place.

Fingerprints (and other biometrics) are not secure, you can never change them once compromised, not suited as passwords. If you really want to use it, use them as usernames.